问题描述

我在一个应用程序中使用ASP.NET MVC 1.0工作，我试图注入一个自定义IPrincipal对象到HttpContext.Current.User对象。

通过传统的WebForms应用程序，我已经使用了Application_AuthenticateRequest事件要做到这一点如下：

 保护无效Application_AuthenticateRequest（对象发件人，EventArgs的发送）
    {
        如果（HttpContext.Current.User！= NULL）
        {
            如果（HttpContext.Current.User.Identity.IsAuthenticated）
            {
                如果（HttpContext.Current.User.Identity是FormsIdentity）
                {
                    //获取表单的身份从当前用户
                    FormsIdentity ID =（FormsIdentity）HttpContext.Current.User.Identity;
                    //获取表单门票从身份对象
                    的FormsAuthenticationTicket票= id.Ticket;
                    //创建一个新的通用主体实例，并分配给当前用户
                    SiteUser siteUser =新SiteUser（Convert.ToInt32（id.Name））;                    HttpContext.Current.User = siteUser;
                }
            }
        }    }
 

所以使用这个我能够通过显式铸造用户对象键入SiteUser访问我的自定义的IPrincipal。我实际上是由具有的所有页面都从这样做的封面，我下继承的自定义类这样做。

不管怎样，我的问题是，与ASP.NET MVC的Application_AuthenticateRequest似乎火，只要任何请求时（因此对于JS文件，图像等），这会导致应用程序死掉。

任何帮助或建议，我怎么可以去ASP.NET MVC 1.0之内注入我的自定义的IPrincipal到HttpContext.Current.User对象将大大AP preciated。我没有看到所以下面的职位，但它似乎并没有满足我想要实现：http://stackoverflow.com/questions/1064271/asp-net-mvc-set-custom-iidentity-or-iprincipal

TIA。

This isn't an uniquely MVC problem - if you ran your application on IIS7 with the integrated pipeline in place then you would see the same thing.

If the problem with the lookup is scalability then I assume the actual problem is within

FormsAuthenticationTicket ticket = id.Ticket;
SiteUser siteUser = new SiteUser(Convert.ToInt32(id.Name));

I'd guess that your SiteUser class does some sort of database lookup. If you examine how forms auth works the ticket contains all the information necessary to produce a FormsIdentity (this doesn't hold true for roles, unless you specifically enable roles caching to a cookie). So you ought to look at the same approach. The first time you construct your siteUser object cache it within a signed cookie, then use the cookie to rehydrate your SiteUser properties on subsequent requests.

If you do this then you can go one step further, replacing the Thread principle with your SiteUser, or at least a custom IPrincipal/IUser combination which has the same information as your SiteUser class would have.

So inside AuthenticateRequest you'd have some flow like

SiteUserSecurityToken sessionToken = null;
if (TryReadSiteUserSecurityToken(ref sessionToken) && sessionToken != null)
{
    // Call functions to attach my principal.
}
else
{
    if (HttpContext.Current.User != null &&
        HttpContext.Current.User.Identity.IsAuthenticated &&
        HttpContext.Current.User.Identity is FormsIdentity)
    {
        // Get my SiteUser object

        // Create SiteUserSecurityToken

        // Call functions to attach my principal.
    }
}

And the function to attach the principal would contain something like

HttpContext.Current.User = sessionSecurityToken.ClaimsPrincipal;
Thread.CurrentPrincipal = sessionSecurityToken.ClaimsPrincipal;
this.ContextSessionSecurityToken = sessionSecurityToken;

You'll want to make sure that the functions which write the Security Token to a cookie add, at a minimum, a checksum/MAC value, and, if you like, support encryption using the machine key if it's configured to do so. The read functions should validate these values.

这篇关于ASP.NET MVC自定义的IPrincipal注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！